IWS - The Information Warfare Site





STATEMENT OF

VICE ADMIRAL RICHARD W. MAYO, USN
DIRECTOR, SPACE, INFORMATION WARFARE,
COMMAND AND CONTROL
OFFICE OF THE
CHIEF OF NAVAL OPERATIONS
ON INFORMATION TECHNOLOGY:  AN EXAMINATION OF DOD NETWORK VULNERABILITIES

MAY 17, 2001

Chairman Weldon, distinguished members of the Readiness Subcommittee, I am Vice Admiral Dick Mayo, Director of Space, Information Warfare, and Command and Control on the Navy staff.  Thank you for the opportunity to appear today and discuss the Navy approach, accomplishments and challenges with protecting our information networks.  My comments focus on the nature of the Navy's computer network defenses and the measures we have taken to strengthen the security of our systems.  I will also update you on the Navy/Marine Corps Intranet (NMCI) initiative.

Our Navy is currently transitioning to an entirely new and innovative way of conducting operations through the implementation of the concept for Network-Centric Operations (NCO).  Network-Centric Operations represents a truly revolutionary approach to warfighting, shifting emphasis from attrition-based warfare, reliant on the firepower of loosely coordinated individual platforms, to Effects-Based Operations intended to achieve our warfighting objectives through carefully planned and integrated actions against key enemy vulnerabilities.  NCO draws combat power from the networking of a multitude of platforms, weapons, sensors, and command and control entities, collectively self-organized through access to common view of the battlespace.  The enabling technology foundation for this new mode of operations is a network backbone, applying common standards for hardware, software, and communication protocols.  The first evolutionary implementation is the deployment of a single naval network applying Internet Protocol communication standards, afloat with the Information Technology for the 21st Century (IT21) initiative and ashore with the Navy/Marine Corps Intranet (NMCI).   Investments in our Navy, such as NMCI and IT21, guarantee the freedom of the seas that ensures the uninterrupted flow of maritime trade that is critical to U.S. economic prosperity.  Navy's forward deployed forces represent sovereign combat power overseas in regions of U.S. interest, providing timely response in crisis as well as capabilities to project both offensive and defensive power ashore to assure access for the Joint force.

 Our growing reliance on a standardized and seamless Navy/Marine Corps-wide network creates vast new synergies for improved operational efficiencies; however, it also presents formidable challenges to the protection of our information systems as well as the integrity of our information resources.  The increasing interconnectivity of our forces through networking provides additional opportunities for intrusion into our network infrastructure, deception through manipulation of our information resources, or outright computer network attack.  The requirement to operate across multiple security levels that are interoperable not only across the military services, but also with our Allies and coalition partners, and with unclassified entities within industry, government, and academia provides many avenues for exploitation and attack.  The protection of the Navy's information networks and its ability to support our forces must be preserved throughout the full spectrum of operational conditions.

As the Navy's Chief Information Officer and Director for Space, Information Warfare, Command and Control, I am the principal agent for the Navy in the area of Information Assurance.  The Navy's strategy for Information Assurance applies a comprehensive set of defensive measures that we call "defense-in-depth," employing a layered, end-to-end approach.  Security protection mechanisms are employed throughout the network architecture beginning with the external network boundaries and firewalls down to the application layer.  In its most essential sense, defense-in-depth consists of the technologies we employ in the network to monitor and control activity, the policies we enforce to define permissible activities, and, most importantly, the training we provide to all hands because, in the final analysis, computer network defense is something you DO, not something you buy.  To support this strategy for "defense-in-depth," the Navy has created several new organizations that are at the forefront in the development of innovative technologies, processes and applications for Information Assurance.

In the realm of tools and technologies, the Commander, Space and Naval Warfare Systems Command (SPAWAR) is responsible for procurement, installation and management of security devices that comprise our protection systems. We have designated SPAWAR's IA program manager as the IA technical and certification authority on all technical security matters.  SPAWAR determines which firewalls, intrusion detection systems, high assurance guards and other devices will be employed within the network.  Additionally, SPAWAR oversees the certification of new systems and applications to be used in the network space, providing network-wide standards for quality control and compliance.  Navy's IA technical authority also maintains a web site as an up-to-date resource that includes an IA software toolkit (such as virus scanners and a secure copying program), IA policy and guidance, and certification templates.  The technical authority also develops our IA technical publications that contain detailed defensive system configuration guidance, and IA technical procedures in general.  Most importantly, the technical authority works with acquisition program managers throughout the Department of the Navy to ensure that technical security requirements are being met in all programs.

As a consequence of a computer network intrusion labeled "Solar Sunrise," then-DEPSECDEF, Dr. Hamre, created a standing Joint Task Force for Computer Network Defense (JTF-CND) and directed each service to stand up a component force; Navy complied by creating a new command, the Navy Component Task Force for Computer Network Defense (NCTF-CND) on 31 Jan 1999.  NCTF-CND conducts continuous IA vulnerability alerts, implements Information Operations Conditions (INFOCONs), and works directly with the Joint Task Force for Computer Network Defense (JTF-CND), now known as the Joint Task Force for Computer Network Operations (JTF-CNO).  NCTF-CND's mission is to coordinate the defense of Navy computer networks and systems.  This includes Navy defensive actions with non-government agencies and appropriate private organizations.  NCTF-CND is our single point of contact for detecting, protecting, reacting and responding to threats against Navy networks.  It has authority to initiate and coordinate reactive, proactive and precautionary defense measures.  It is also charged with monitoring the status of Information Assurance Vulnerability Alert (IAVA) compliance.  Following incidents, NCTF-CND directs and coordinates restoration of the networks while maintaining network functionality.  As the central collection point for Navy incidents, NCTF-CND is responsible for oversight, coordination and correlation of disparate computer and network incidents.

Since its creation, the NCTF-CND has issued twenty-eight directive IA vulnerability messages to mitigate computer network vulnerabilities.   NCTF-CND also conducted a Navy-wide INFOCON exercise in late 1999, the results of which contributed greatly to our understanding of the operational impact of INFOCONs and the need for detailed response procedures.  According to statistics maintained by the Joint Staff, Navy has a perfect record of following up and enforcing such directives.  However, I candidly acknowledge that the vulnerabilities of which I speak are only one mis-configuration away from reappearing, so we must stay ever watchful because people do make mistakes.  To aid us in this process, NCTF-CND has the authority to conduct "on-line surveys" whenever and wherever it sees the need.  An "on-line survey" maps a network segment to evaluate which ports are open, which aren't, and overall what's right and what's not.

At the operating level, our Fleet Information Warfare Center (FIWC) is responsible for the detection and remediation of computer incidents.  FIWC conducts intrusion detection, incident reporting, and runs the Naval Computer Incident Response Team (NAVCIRT).  FIWC works directly with other service, agency and commercial incident response teams to leverage the solutions and lessons learned for timely response.  FIWC works with the Numbered Fleet Commanders and Battle Group Commanders to conduct aggressive "red team" efforts during Joint Task Force Exercises.  In this way, we can detect IA problems, conduct on-the-job system administrator training under IA stress conditions, and heighten IA awareness as part of deployment preparations.  FIWC also leads an extensive partnership with our Naval Reserve forces oriented on maintaining the security of our publicly accessible web sites.  In a perfect "total force" application, we use reservists, during their scheduled drill periods in their home drilling centers, to access and review each of the Navy's over-1500 public websites every year.  These reviews encompass administrative, privacy and operations security requirements and use web tools to automatically generate specific deficiency notices to webmasters, enabling them to correct problems in real time.  FIWC supervises and coordinates the release of these notices, which provides webmasters with 24x7 help desk support if they have questions.

We have worked hard to improve and keep our policies relevant in the information age.  The overarching Navy IA directive was completely updated last year, and it made provision for a series of technical security publications, much easier to create and update, to stay current with the technology.  We've issued sixteen of these policy directives-all accessible over the web, of course.  Navy and Marine Corps together issued the first formal policy defining the requirements and configurations for firewalls, a foundation the Joint Staff is now building on to embrace the entire Defense Department.  Most recently, we issued a policy regarding the use of portable electronic devices such as personal data assistants (PDAs) in our networks.  In a macro sense, our policy is simple-we want to take maximum advantage of the phenomenal power of information technologies to accomplish our combat and combat support missions, yet understand and make provision for the fact that each of these technologies is a sword that cuts both ways-all the power for good operators is also potential power for adversaries.  We balance the good and evil, mitigate risks as we can, remain ever vigilant and train our people to be the best.

With this policy approach, we employ the kinds of tools I've alluded to earlier to protect our information, detect intrusion attempts, and react/recover as necessary.  When it comes to protecting our information, the first line of defense is NSA-provided cryptography.  Without belaboring the point, there are now over 400,000 such cryptographic products of varying types in our inventory for voice, video and data; for Navy, Joint and Allied/coalition use.  We are working closely with the NSA on a cryptographic modernization road map; I ask your support for the NSA road map to modernize the cryptography, which is the true linchpin to protecting classified information.  Related to but distinct from this cryptographic modernization effort is the Defense Department's implementation of a Public Key Infrastructure (PKI), which can and will become a powerful implement for authenticating our transactions, ensuring the integrity of our data, and guaranteeing that we are who we say we are online.  We are committed to getting PKI right, but I've come to appreciate that it isn't the "PK" part that's hard, it's the "I" part-it will take us time to scale PKI across the whole of the DOD infrastructure, and it will take new money to recode our service applications to "recognize" PKI, which otherwise is nothing more than a string of gibberish.

The arena of detecting malicious activity is challenging.  One notable item relates to development of an Intelligent Agent Security Module, a smart detector that doesn't rely on a priori information as today's intrusion detectors do; we have received initial Congressional funding for this R&D and are pushing it hard.  Finally, the business of reacting to intrusions is dependent on broad situational awareness, as you have to know what the good guys and bad guys are doing if you want to prevail.  So, we built our NCTF-CND organization from the start to be linked with both our network managers, our intelligence assets and, importantly, we put billets into its force structure to oversee computer network attack.  We are encouraged that USCINCSPACE has recently expanded the scope of its computer network defense Joint Task Force to include all computer network operations.

Before I turn to our NMCI initiative which, by the way, was designed with network security in mind from the outset, I'd like to spend a few more minutes on our IA training, because we get more network security from each dollar we spend training Sailors than we do from all the firewalls, access controllers and intrusion detection systems put together.  So, we've committed ourselves to an unending training crusade, one that strengthens our defenses, keeps faith with our people and, interestingly, improves retention.  It is a fact that the more we train our IT people, the more they stay Navy-after their first enlistment, after their second enlistment, and even after their third enlistment.  Since we instituted this training regime, these Sailors have clearly exceeded all Navy averages.

We do a lot in this crusade, but I'd like to highlight only three areas.  First, we have created four core courses for our information professionals, from apprentice-level systems administrator through masters-level network analysts, and we teach these courses in a number of places, where the Sailors live; we also make extensive use of commercial training products to supplement these core courses.  Second, we're in the second year of a partnership with Tidewater Community College to take teams of young Americans from the point of enlistment to holders of an Associate of Sciences degree in Information Technology in just one year.  When they complete this program, together, they serve the rest of their six-year obligations in the same Battle Group, forming a true team that makes the entire Battle Group better.  Finally, we now view training requirements through the lens of the deploying Battle Group Commander instead of the traditional personnel rotation and distribution system.  This means that, at the outset of the deployment planning process, we define all the IT skills the Battle Group will need when it casts off the last line and deploys, then we bend the training world to these needs, distinct from and of a higher priority than the normal "you get school only when you transfer" process.  By this means, we have a much greater assurance that our naval forces will be able to defend their networks just as they defend their ships in the world's littorals.

Navy-Marine Corps Intranet

NMCI is the shore component of the naval network; it will provide capabilities for state of the art voice, video and data information services from a commercial provider.  Our vision is to build the modern Navy and Marine Corps on the transformational power of networking, and we will do this by the merging of the many dissimilar networks currently deployed into a single, seamless and integrated network across the Navy's shore-based infrastructure.  Through increased access to information and the power of collaboration across the Navy's mission and functional areas, NMCI together with IT21, will support innovative work and training to improve the productivity and quality of service for every Sailor, Marine, and DoN civilian employee.

Standardization of hardware, software, training and operational procedures for network management will vastly improve information security, interoperability at all levels, while enhancing our capabilities for information superiority.  The creation of a single contract for the majority of the Navy's shore-based IT network costs will optimize the cost per unit for IT services by increasing accountability and visibility of IT assets. 

Here's where we are in realizing these goals.  On October 6, 2000 we awarded a five-year firm fixed price contract to Electronic Data Systems (EDS).  The process for transitioning Navy networks to the new NMCI environment began in December 2000 when EDS assumed responsibility for managing a portion of the Navy's "as-is" networks.  To date EDS has assumed responsibility for over 43,000 seats in the "as-is" state and current plans call for these first increment seats to cutover to the NMCI environment in mid-June. 

Assembly of the first two network operations centers and help desks in San Diego and Norfolk are on track and we expect them to be online before the first new seats roll out in mid-June.  Contractor testing has already begun in vendor laboratories and will continue at the designated test sites this spring and early summer.  We plan for the Commander, Operational Test and Evaluation Force (COMOPTEVFOR) to start operational testing immediately following the completion of contractor testing.  Joint Interoperability Test Command (JITC) will be conducting interoperability testing of joint applications concurrently.

The Navy/Marine Corps Intranet is a unique opportunity for the Department of the Navy to make a dramatic leap forward in security.  First of all, it's important that the NMCI contract is constructed with service level agreements (SLAs) requiring the vendor's compliance in order to be paid the full price for seat services.  Several agreements are directly related to security, with measurable attributes for which metrics will be collected, enhancing our information assurance posture in a number of ways. 

- We will consolidate hundreds of disparate networks throughout the Department, providing us with a Navy and Marine Corps-wide, trusted intranet protecting our information from outside attack.

- NMCI's security requirements will bring the DoN into alignment with the "defense in depth" concepts in the Joint Global Information Grid (GIG) architecture. 

- DoD Public Key Infrastructure (PKI) will be integral to NMCI and bring the DoN into compliance with DoD mandates for PKI implementation. 

- As NMCI consolidates hundreds of disparate networks, we will achieve, for the first time, a Navy/Marine Corps-wide network intrusion detection and monitoring capability. 

- NMCI's six network operations centers (NOC) and the co-location of NCTF-CND, the Navy's Computer Network Defense command; Commander Task Force NMCI (CTF NMCI) and the Marine Corps Information Technology Network Operating Center (MITNOC), the two services' commands charged with command and control of the network, will significantly improve our visibility into the department's networking infrastructure and our ability to defend it.   

In summary, improved security is probably the greatest value-added by NMCI.  The NMCI architecture framework defines four defensive "boundaries" in conjunction with our overall IT defense-in-depth strategy, ranging from the external network boundary to the application layer.  These boundaries will be used to define specific, layered security measures.  Our NMCI guidance also delineates security requirements for technical and quality of service standards.  The requirements encompass content monitoring, content filtering, virtual private network (VPN) and encryption standards, standards for PKI-enabled applications, and web security.  Further, the NMCI sets the qualification standards required for contract systems administrators and network managers.  "Red Teams" are also established under the NMCI to determine the effectiveness of contract fulfillment toward security requirements and to perform ongoing network vulnerability and risk assessment.  A "Blue Team" will verify security configuration management and approve all security architecture choices and security procedures.   The NMCI vendor will be responsible for providing raw data that will be analyzed by Navy to determine whether an incident has occurred as well as the magnitude of any incident.  None of these security measures can be guaranteed without an intranet of common standards and required quality of service.

Since the beginning of this year, Navy has recognized nineteen computer network incidents on unclassified systems.  Our experience with these and past intrusion attempts validates the importance of maintaining a technically astute, responsive IA organization at a Service level.  Although we train our System Administrators to run their systems as securely as possible, and we keep them up-to-date with IAVAs, NAVCIRT advisories, and other timely technical information, there is always variation in local procedures, complex software version upgrades, and network reconfigurations.  With NMCI, centralized system administration will give us the ability to dynamically and remotely implement (i.e., "push") "best practices", countermeasures, and secure network configurations to permit a near-real time, technologically uniform implementation of IAVAs and technical advisories Navy-wide.  For example, while local commands would continue to author the content of organizational web pages, the web pages themselves would reside on uniformly and centrally configured NMCI servers-configured in accordance with DoD/DoN best practices.  Vulnerability to web page "hacks" will be uniformly mitigated across the enterprise.

NMCI will also accelerate the desired proliferation of Class 3 PKI-enabled web pages and authentication measures for appropriately authorized access to, and modification of, Navy web sites.  The uniform implementation of PKI/certificate authorities and anti-virus signatures in NMCI will considerably reduce risks of external intruder root access gained by the "sniffing" of passwords, and from unsolicited e-mail with malicious attachments or "Trojan horses", such as last year's "Melissa" episode.

Conclusion 

In conclusion, we've done a lot and continue to work hard at improving Navy network security, and we do so in close collaboration with the other services and DOD agencies.  The power of the worldwide web-you can reach out and touch anywhere-is also its weakness, and the United States, with almost half of the world's computing resources, is a gigantic target for amateurs and those who would do us harm.  You've received many statistics regarding how many probes, events, intrusions and losses of positive control occur.  Navy is no exception.  The National Infrastructure Protection Center (NIPC) predicts that any vulnerability, once created, will be exploited within eight hours, and I believe it.  A few months ago, a server at a Naval facility was mis-configured during routine system clean-up and restoral.  This facility was NOT a high value or even high interest target, yet the vulnerability created was, in fact, exploited within eight hours, and the intruder gained root privileges in that system for a short time, just as NIPC predicted.  Thomas Jefferson once said, "Eternal vigilance is the price of freedom."  It has never been more true than in this age of information.

Thank you.


House Armed Services Committee
2120 Rayburn House Office Building
Washington, D.C. 20515
